Shavlik Protect 9.2 and Empower Beta Launch


Shavlik is proud to announce the launch of Shavlik Protect 9.2 Beta and introduce the Empower platform. This simultaneous launch is a significant leap into a rapidly changing world. Shavlik Protect will continue to be the Data Center solution for patching critical systems and ensuring vulnerabilities are being plugged. Shavlik Empower is the platform that Shavlik will use to launch us into the future.

Empower is purpose-built to manage your users and the devices they use, and to follow those users wherever they go. Empower will aggregate data from Protect, from other parts of your network and off network using the

Security and the “ART-ful” Enterprise

While every enterprise is different, there are three fundamental characteristics that appear common to every successful modern enterprise. The successful modern enterprise is:

Agile – able to navigate nimbly all types of internal and external change, expected and unexpected.

Resilient – able to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

Trustworthy – able to credibly demonstrate and document operational transparency, in ways that both create and justify high levels of trust among all stakeholders.

One might even describe such an enterprise as “ART-ful.” If one were prone to such constructions. But I digress.

It turns out there is also a single prerequisite for all three of the characteristics that make an enterprise “ART-ful.” That prerequisite is security. Specifically, user-centered security.

What is “user-centered security?” It’s a focus on what users use to do their jobs—applications, information, devices and network connections. Protect those things, and you can protect users from being victims of malware and other threats. Just as important and valuable, you can also protect users from being conduits into the enterprise for malware and other threats. All while keeping critical enterprise resources safe as well.

How to Achieve User-Centered Security

User-centered security is not only desirable, but achievable. Building upon research conducted by elements of the Australian government, the Canadian Cyber Incident Response Center (CCIRC) estimates that up to 85 percent of targeted attacks on IT environments are preventable by four simple steps:

  • Application whitelisting;
  • Timely application patching;
  • Timely operating system patching; and
  • Restricting of administrative privileges to those users who really need them.

Unfortunately, such protections are like smarter eating and exercise habits. Most of us know what would be best for us to do, but we don’t always do those things.

Take patching. In an April 2015 alert, the US Computer Emergency Readiness Team (US-CERT) identified the “Top 30 Targeted High Risk Vulnerabilities.” The newest of these dates from 2014; the oldest is from 2006. That means that there are patches designed to remediate all 30 vulnerabilities but that many if not most enterprises have not yet installed those patches, for whatever reasons.

The bottom line here is that agility, resilience and trustworthiness are impossible without pervasive, ubiquitous, invisible, user-centered security and that such security begins with comprehensive, timely patching. Agility, resilience and trustworthiness are the pillars supporting the successful modern enterprise. User-centered security, starting with timely, effective patching, is the foundation that supports those pillars and enables the enterprise to implement the practices, processes and services that make agility, resilience, and trustworthiness possible.

To build that foundation, your enterprise must first automate, integrate, and optimize management of its IT security efforts, starting with patching. As these efforts make IT security more consistent and user-centered, that security can be expanded across all of the IT-empowered services that enable the business. Security and its effective management make up the bedrock that complements the foundation that supports the pillars of agility, resilience, and trustworthiness.

Of course, none of these strengths can be achieved or sustained by any processes or technologies alone. As with almost everything else a successful enterprise does, ART is achieved and sustained by people. Specifically, you and your people. In concert with colleagues from across your enterprise. Evolution into an ART-ful enterprise requires leaders, evangelists, champions and supporters to implement and manage the user-centered security policies, processes, technologies, and services that make ART—agility, resilience and trustworthiness—possible.

During the next few weeks, additional posts will dig a bit more deeply into the market forces driving the rise of the ART-ful enterprise and how your enterprise can achieve and sustain agility, resilience, and trustworthiness. Next up: “Your ‘ART-ful’ Enterprise: Agility.” More to come. Meanwhile, as always, your comments, questions, and stories are welcome.

Cybersecurity: We Are All Vulnerable. We Are All Responsible.

Ashley Madison, the Web site that encourages married people to have affairs, is dealing with the theft and public release by hackers of personal information for thousands of its clients. The Impact Team, the hackers who claimed responsibility, didn’t hack the site for money, and didn’t steal the personal information to sell it. According to a Washington Post report, The Impact Team accused Avid Life Media, the company behind the Ashley Madison site, of “fraud, deceit, and stupidity,” and of faking most of the site’s female user profiles.

Target’s balance sheet and reputation are both still suffering from its widely reported 2013 data breach. That incident involved personal data, including credit and debit card information, of up to 40 million customers. Most recently, Target has reportedly agreed to pay up to $67 million to Visa, on top of the $10 million Target had previously agreed to pay to customers affected by the breach.

Such current events make one thing increasingly clear: hacking can happen to any organization, at any time, for any reason or no obvious reason at all. You and yours can be deeply affected by a hack, whether you work for the hacked organization or not. Truly, we are all vulnerable.

But if it’s true that we’re all vulnerable, it’s equally true that we all have a role to play in making ourselves and our organizations more secure. In fact, it is credibly arguable that cybersecurity is too big to be left up to IT and security teams alone.

A recent article on CSO.com highlights how enterprises such as Automatic Data Processing (ADP), Johnson & Johnson, Akamai Technologies, and others are “crowdsourcing” their cybersecurity efforts. These companies are sharing information about threats, vulnerabilities, and countermeasures with internal teams and external organizations, including peer companies. They are also encouraging users, including customers, to report incidents and suspicious behaviors to IT support, security, or both, as soon as possible. The thinking is that applying more bodies and minds broadens the range of possible effective solutions to security threats.

This is part of a larger trend of extending responsibility for cybersecurity beyond IT. Instead, organizations are increasingly separating cybersecurity budgets and activities from mainstream IT and spreading security budgets, efforts, and awareness across the entire enterprise. One implication of this is that companies can end up investing more in security-related measures, such as user training, than reflected by the security or IT security budget.

According to a recent article in The Register, such dispersed spending can improve security when combined with some other key political moves. “In an ideal world, the CISO will have an independent role and a friendly ear on an informed board. They will have a strong interest in ensuring that IT in particular conducts its operations securely and will work with the CIO from a position of influence to help achieve that. To that end, the CISO will demand that each relevant line of business allocate some of their budget for cybersecurity purposes and task them to show results for it,” the article says.

Everybody, at every enterprise, is an actual or potential victim of cybersecurity threats, and everybody, at every enterprise, can make meaningful contributions to the avoidance and remediation of those threats. Those responsible for leading cybersecurity efforts simply need to engage, encourage, and guide the participation and support of every user and decision maker at their respective enterprises, within and beyond IT and security. It’s a daunting task, but the rewards can be considerable.

August Patch Tuesday Round-Up

Patch Tuesday + 8 days. Another big month from Microsoft, but it has continued past Patch Tuesday, including a zero-day IE update (MS15-093). Recapping the risks we have seen this month, there are now three exploited vulnerabilities from Microsoft for August. Two vulnerabilities have been publicly disclosed, which increases the risk of exploit. Altogether, this is a busy month once again.

Windows 10 is continuing to be a hot topic. Some details have slowly been creeping out around how Microsoft really plans to roll out updates on Windows 10. All updates will be cumulative. All updates will be bundled (August had six bulletins rolled into the single cumulative update for Windows 10). These cumulative updates can include non-security fixes without notice or choice. We had the Patch Tuesday update and two additional cumulative updates since Patch Tuesday (KB3081436, KB3081438 which was the fix for the reboot loop, and KB3081444).

Here is the August summary:

 

[Image: August 2015 summary]

For full playback of the August Patch Tuesday Webinar or to sign up for future Patch Tuesday Webinars check out our Webinars page.

Bring out yer dead! I’m not dead yet says Patch Tuesday


You can keep shouting “bring out your dead,” but Patch Tuesday is not dead yet. There is a large lineup this month on both the Microsoft and third-party fronts, and even some Windows 10 updates to boot!

Patch Tuesday is always fun after a major security conference. We are going to see some fallout from the Black Hat conference last week, as security researchers showed off their skills with live exploits of popular browsers and plug-ins. Mozilla already released a security update last week and, for Patch Tuesday, we have updates for IE, Edge, Flash, Chrome and Java.

Microsoft

Microsoft has released 14 bulletins, four of which are critical. The critical updates affect Internet Explorer, Edge, Windows, .NET Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Two of the critical updates affect Office.

Exploits detected in wild: